
Retefe banking Trojan now targeting UK banking customers

Avast Security researcher Jaromír Hořejší is reporting that the Retefe banking Trojan is now targeting UK banking customers.

Targeting high street banks such as Barclays, HSBC, NatWest and Santander, the Trojan appears to go after any account login credentials it can get, on anything with “.com” and “” domains.

Attackers use crafted phishing emails carrying an attachment that contains a malicious script. Once opened, the script shuts down all running browsers and installs a rogue certificate. The JavaScript even automates the certificate installation by using a PowerShell script.

Proxy auto-config (PAC) settings are then changed to point to a website on the Tor network. The victim sees the installation prompt for only a few seconds before it disappears.

Although the certificate is named Comodo CA, after a well known security company, it was actually issued by the designer of the attack. Unfortunately, once a certificate is installed in the trusted root store, the browser will trust any certificate signed by it, for any website.

This means that when the user tries to reach their online bank, they are redirected, via the proxy, to a fake website hosted on the Tor network. Any information they enter into that site is collected by the attackers through the proxy.

All this happens while the browser shows a secure connection, because the certificate appears to come from a reputable issuer.
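The two host-side artifacts described above, a rogue self-signed root certificate carrying a Comodo name and a PAC URL repointed at the Tor network, are what an incident responder would check for on a suspect Windows machine. The script below is an added example written for this article; it is not Avast's code and not part of the original report. It uses only documented PowerShell cmdlets (the certificate provider and the WinINET `Internet Settings` registry key). The `COMODO` subject match and the `.onion` URL pattern are assumptions drawn from the article's description, and the `$KnownGoodThumbprints` allowlist is a placeholder the operator fills from their own trusted-root baseline.

```powershell
# Added example, not from the article or from Avast: report (and optionally
# remove) a rogue self-signed "Comodo" root and a PAC URL pointing at Tor.
[CmdletBinding()]
param(
    [switch]$Remediate,                    # remove findings instead of only reporting
    [string[]]$KnownGoodThumbprints = @()  # assumption: filled from your own trusted-root baseline
)

function Find-SuspiciousRoots {
    # Self-signed roots that advertise a Comodo identity but are not in the baseline.
    # CurrentUser\Root is checked as well as LocalMachine\Root: a script running as
    # the logged-on user can plant a root there without administrative rights.
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Subject -eq $_.Issuer -and                    # self-signed
                $_.Subject -match 'COMODO' -and                  # assumed: impersonates the real CA by name
                $KnownGoodThumbprints -notcontains $_.Thumbprint # not in the operator's baseline
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                    Path       = $_.PSPath
                }
            }
    }
}

function Find-SuspiciousPac {
    # WinINET proxy auto-config is stored here; the article says Retefe repoints it.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $url = (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    # Assumed pattern: a .onion host, or a tor2web-style gateway such as host.onion.<tld>
    if ($url -and $url -match '\.onion(\.|/|:|$)') {
        [pscustomobject]@{ Key = $key; AutoConfigURL = $url }
    }
}

$roots = @(Find-SuspiciousRoots)
$pac   = Find-SuspiciousPac

if ($roots.Count -eq 0 -and -not $pac) {
    Write-Output 'No rogue Comodo-named root and no Tor PAC URL found.'
    return
}

$roots | Format-Table Store, Subject, Thumbprint, NotBefore -AutoSize
if ($pac) { Write-Output "PAC URL points at Tor: $($pac.AutoConfigURL)" }

if ($Remediate) {
    # LocalMachine\Root removal needs an elevated session.
    foreach ($r in $roots) { Remove-Item -Path $r.Path -Confirm:$false }
    if ($pac) { Remove-ItemProperty -Path $pac.Key -Name AutoConfigURL }
    Write-Output 'Remediation applied; restart browsers so they reload trust and proxy settings.'
}
```

Run it without `-Remediate` first and compare each reported thumbprint against a known-good export before deleting anything; the name match is a heuristic, so a legitimate root would be listed too if it were missing from the baseline. Browsers that keep their own trust store (Firefox, for example) are not covered by the Windows certificate provider and need a separate check.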

“This type of malware is a serious threat for unaware users, because most people trust the certificate signs on HTTPS sites and, therefore, do not verify the certificate's issuer. This makes it easy for the Retefe banker Trojan to steal important data and money,” Avast researchers pointed out.

Banks have been warning their customers of this campaign, but chances are that many users have already been infected, their information stolen and misused, and possibly their accounts pilfered.

Fraser Kyne, regional SE director at Bromium, told SC Media that, “any time we interact with the outside world we enter into realms of unfathomable trust. How can we possibly know if the document we've just been emailed contains malware? We can't reliably detect it in advance (Alan Turing proved this) – so are we resigned to opening things and just hoping that they won't hurt us?”

Kyne continued, “we need to enable users to safely open any website or document they receive from the outside world. If not, people can't do their jobs. The only way to solve this is to find a practical means of isolating untrustworthy content so that I can safely use it without fear that it'll compromise something I care about.”

Micro-virtualisation might be one solution, added Kyne. In this case, the PowerShell would run in the isolated microVM, “where it has no way to get out to the real PC, it has nothing to steal, and it has no way to persist.”

“If we don't take this step,” concluded Kyne, “then we are stuck with ‘whack-a-mole' security – and this is a game we've already lost.”
